Total Website Security
WhiteHat Security In the News ::
Few Expected to Make June 30 PCI Deadline for Web Application Security
Many firms are just now shaking off the mental cobwebs. May 12, 2008 (Computerworld) Retailers covered by the Payment Card Industry Data Security Standard (PCI-DSS) have just about a month and a half left to comply with new requirements for protecting Web applications. But as with previous PCI-related deadlines, this one appears destined to pass with a majority of merchants unlikely to be in full compliance. Read article at Computerworld ›››

Deconstructing PCI 6.6
Organizations handling credit cards feel pressure building as the June 30, 2008 deadline for PCI Requirement 6.6 compliance approaches. Most are still evaluating how to strategically ensure compliance with this requirement while maintaining a strong security posture. The addition of stringent industry guidelines for web application security is long overdue. With the escalating threat of web attacks, organizations must remain vigilant. Web applications are a special breed of living code: always online, always accessible, always being modified, and always subject to attack. Diligent web application security demands frequent assessment; attack research and findings targeting specific web applications are posted daily. Read article at SCMagazine ›››

SQL Injection Attack Infects Hundreds of Thousands of Websites
Chinese hackers have conducted successful SQL injection attacks on hundreds of thousands of websites during the past 10 days, culling their targets from search engines. Normally, SQL injection attacks are targeted attacks, one IP address at a time. The closest attack on this scale would be the Samy worm attack on the MySpace.com domain, but that was against just one domain.

Google-Hacking Goes To China
Google has yet to bring its U.S. success to China: only about one in five Chinese Web searches starts at the site. But lately, Google seems to have gained popularity with at least one group of Chinese Web users: some of the country's most successful cybercriminals. Over the past several weeks, researchers have tracked a hacker exploit that's infected more than half a million pages around the Web, invisibly redirecting visitors to those pages to servers that install malicious software on their PCs. The cybercriminals' exploit uses an increasingly common method to decide which pages to infect: Google searches that probe sites en masse for hackable weak points. Read article at Forbes ›››

Web 2.0 Security Hangover
The Web 2.0 party was a great time, but security pros and analysts are waking up to new problems. Web 2.0 applications have certainly made the user experience more interactive, but organizations need to be mindful of their impact on Web site security. Certainly, there are a number of reasons Web sites become an attractive target for hackers; sometimes sites are built before an attack is known about, or the developers were in a hurry. Still, some researchers say the Web 2.0 rush has had an impact on security as well, opening up new possibilities for attackers. "The Web used to be a very static delivery method," said Mary Landesman, senior security researcher at ScanSafe. "All we could do is go to a site and read it. We couldn't interact with it." Read article at eWeek ›››

The FutureNow List
When The FutureNow List debuted a year ago, IT security emerged as a spending priority, with the lion's share of investment made in secure authentication. But as the first signs of the subprime crunch gave way to a crisis and yet another rogue trader got his 15 minutes of fame (this time it was Societe Generale's Jerome Kerviel), information technology leaders were already turning their attention to risk management and compliance. Timing is everything: prompted by recent events, politicians and regulators edge toward a sea change in regulatory oversight. Read article at BTN ›››

Hackers infiltrate Google searches
Hackers have turned their attention to search engines in the latest attempt to invade the computers of unsuspecting Web users. In the past few weeks, they have taken advantage of Web pages that incorrectly use JavaScript, a computer language used in features like interactive maps, to infect thousands of sites. The altered sites show up in a Google search and, when clicked on, redirect the user to a malicious program that aims to steal information. One goal is to infect users' computers, possibly by installing a device to capture keystrokes, and therefore passwords and other sensitive information. Read article online at the San Francisco Chronicle ›››

Google searchers could end up with a new type of bug
Cybercrooks are manipulating the computer code used to put the pizazz in millions of websites in hopes of taking over unsuspecting consumers' PCs. The vulnerability occurs when someone does a Google search, then clicks on a result that has been secretly tainted by hackers. They will usually be taken to the Web page they expect. But at the same time, they are invisibly redirected to a computer server that installs a hidden program. This program enables hackers to use the PC to spread spam and carry out scams. Typically, it also lets the attacker embed a keystroke logger, which collects and transmits your passwords and any other sensitive data you type online. Any website indexed by Google that fails to carefully handle JavaScript (the coding that activates many cool Web features, such as changing the color of a button when someone mouses over it) is a potential target. That's seven in 10 sites, says tech security firm WhiteHat Security. Hackers have discovered ways to trick the website application into running malicious JavaScript. Read article online at ABC News ›››

WhiteHat Seeks To Protect Top E-Commerce Sites
WhiteHat CEO Stephanie Fohn says that you need her company's service if you've got a Web site that takes transactions. WhiteHat is a SaaS vendor that offers black-box penetration tests for Web sites. For most organizations, ferreting out e-commerce site flaws calls for every technique from element testing and hard-core code reviews to a range of tools that help assess code quality and test site vulnerability. At the highest end, there are consultants who will both provide penetration testing and review code. They're also by far the most expensive. WhiteHat says it's captured the best of both worlds with its service. Here's CEO Fohn explaining the service. From what we can tell, this is relatively high-end stuff, including testing services for PCI 6.6. It's a little concerning that the company won't mention a single reference customer, but for sites that are constantly changing, it's an interesting option. Read article and view video clip online at Information Week ›››

Security researchers have all the fun, like making up the punny names for the new exploits they discover or detect. Case in point: "Phishing with superbait" is an increasing phenomenon in which cyber thieves take over an actual corporate Website using cross-site scripting, says WhiteHat Security founder and CTO Jeremiah Grossman. Cross-site scripting errors remain the most common vulnerability on financial services Websites, Grossman says. Though they aren't as clever as Grossman in the naming, security vendor Trend Micro confirms in its 2007 Threat Report and 2008 Forecast that "hackers are intensifying their attacks on legitimate Websites," as the number of compromised legitimate Websites is slowly outnumbering malicious ones created by cyber criminals. Read article online at Bank Technology News ›››

New Firefox Flaw Deemed Low-Risk Threat
Mozilla officials are investigating a new vulnerability in Firefox that could be exploited by attackers to steal files from a victim's machine. Window Snyder, security chief for Firefox, said on her blog Tuesday that the flaw is located in the chrome protocol handler, which controls the various widgets on a browser... Read article online at SC Magazine ›››

The Lurking Perils of Online Transactions
E-commerce has been part of the retail world for more than a decade, and today's consumers seem to assume that because of this longevity, their transactions are secure. Beyond this, the average online shoppers are convinced their credit card numbers and other sensitive information are out of reach of attackers with a firewall and antivirus program, combined with shopping at brand-name retail sites... Read article online at Ecommerce Times ›››

Apple Fixes a Quartet of QuickTime Flaws
With all the hype surrounding Apple this week and its MacWorld event, it's easy to forget that Apple is a company under a security siege. More specifically, Apple's QuickTime software has faced far more than its fair share of security woes over the past year. The software plays a critical role in Apple's ability to deliver multimedia content on its Mac and iTunes platforms... Read article online at internetnews.com ›››

WhiteHat Security, the leading provider of website vulnerability management services, today announced that the Silicon Valley YWCA has named the Company's Chief Executive Officer, Stephanie Fohn, a winner of the 2007 TWIN Award. The YWCA of Silicon Valley's TWIN Awards Program honors not only women who demonstrate excellence in executive-level positions, but also the companies that employ these women. Fifty-one outstanding executive women from Silicon Valley will be honored May 15, 2008 at the 24th Annual Tribute to Women (TWIN) Awards Program at the San Jose Fairmont Hotel... Read article online at Forbes ›››

An attacker can carry out cross-site scripting (XSS) attacks on a vulnerable system through newly disclosed vulnerabilities in Shockwave Flash (SWF) files. The flaws, which can be found by the thousand via search engine, are caused by an error in the way that input is validated when passed to embedded ActionScript and JavaScript in Flash files, according to US-CERT, which warned about the issue in an advisory updated today... Read article online at SC Magazine ›››